phpBB2 and SSL login (only)
July 24th, 2006
I bet lots of you know the popular forum board phpBB: it's really nice and full of features/mods.
Even if some time ago everybody was concerned about security issues hidden in the source code, the community has always done a good job, and when I recently happened to browse the sources I saw so many anti-hacking lines that it seems to me a real tank against hacking (well: we'll see).
What is really powerful about phpBB and its community is that there are thousands of mods, and you can start enabling functions in a matter of minutes.
I then realized that the majority of users usually don't even own the HTTP connection to their websites, and of course would never dream of having an SSL certificate and enabling an HTTPS connection to their forum.
What I had to do in my case (not my website, unfortunately) was to enable SSL login, using the HTTPS setup and the SSL certificate we paid so much for, so I just turned on the secure cookie option in the main configuration: well, this is not a good option for a webmaster.
First, with secure cookies on every page of the board is served over SSL, not just the login, so you will suck up a lot of bandwidth and CPU power for almost nothing (unless you want a *really* secure connection or are in a sniffing-prone environment).
Second, you will probably end up stopping Googlebot and all the others from indexing your public forum correctly (yes, I know most of you prefer privacy, but sometimes good indexing is just what you need!).
The remaining option was disabling secure cookies, but that sends the business passwords in cleartext over HTTP, where anyone on the path can sniff them, and as I don't like to share them with others I needed to find a solution.
Well, what I wanted was to do like mail.yahoo.com (never saw that little "Why is this secure?" link that appeared in the last few months on the login page?): stay on HTTP, but make the login form POST to an HTTPS action, so the credentials travel with SSL encryption and nice privacy.
I was a bit doubtful when I saw this link on the phpBB community forums, because they said cookies would go mad: well, I really don't think so.
What I did is to change line 410 (phpBB 2.0.21) in includes/page_header.php from:
'S_LOGIN_ACTION' => append_sid('login.'.$phpEx),
to
'S_LOGIN_ACTION' => append_sid('https://'.$board_config['server_name'].$board_config['script_path'].'login.'.$phpEx),
(the hostname of the board is stored in $board_config['server_name']; $board_config['sitename'] is only the display title, so it will not build a valid URL unless the two happen to be identical; script_path is stored with its slashes, e.g. "/forum/")
and what happened is just what mail.yahoo.com does (keeping secure cookies disabled).
I tried a couple of "clear cookies" and login cycles and nothing strange happened.
Well, I hope this is of help (and that it does not introduce vulnerabilities!)
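The same idea, as an added example that is not phpBB's own code and not the patch above: a helper that builds the absolute https:// login action from the phpBB2 board_config values the page refers to, plus the check an operator would run on the rendered page to confirm the form really posts to HTTPS. Assumptions not taken from the page: the hostname lives in `$board_config['server_name']` (sitename is the display title), the HTTPS port is 443 unless a hypothetical `ssl_port` key is set, and the sample config values are constructed.

```php
<?php
// Added example (not phpBB code). Builds the https:// login action for phpBB2's
// S_LOGIN_ACTION from board_config, the way the page's one-line patch does, but
// with the pieces a practitioner would want checked: a real hostname, a non-default
// HTTPS port, and script_path with or without its trailing slash.
function ssl_login_action(array $board_config, string $phpEx = 'php'): string
{
    $host = strtolower(trim($board_config['server_name']));
    // Accept only a plain hostname: a stray value here would send every
    // password POST to whatever the config says.
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
    if (!preg_match("/^$label(\\.$label)*$/", $host)) {
        throw new InvalidArgumentException("server_name is not a hostname: $host");
    }
    // 'ssl_port' is a hypothetical key; phpBB2's server_port is the HTTP port,
    // which is usually not the HTTPS port.
    $port     = (int) ($board_config['ssl_port'] ?? 443);
    $portPart = ($port === 443) ? '' : ':' . $port;
    // script_path is stored like "/forum/" or "/forum"; normalise to one trailing slash.
    $path = '/' . trim($board_config['script_path'], '/');
    $path = ($path === '/') ? '/' : $path . '/';
    return 'https://' . $host . $portPart . $path . 'login.' . $phpEx;
}

// Operator check: does the first <form> in a fetched page post to https://?
// (run against the HTML of the board index or login page).
function login_form_posts_to_https(string $html): bool
{
    if (!preg_match('/<form[^>]*\baction="([^"]+)"[^>]*>/i', $html, $m)) {
        return false;
    }
    return stripos(html_entity_decode($m[1]), 'https://') === 0;
}

// Constructed sample config mirroring phpBB2's config table columns (not real data).
$board_config = array(
    'sitename'      => 'My Business Forum',  // display title, not usable as a host
    'server_name'   => 'forum.example.com',
    'server_port'   => 80,
    'script_path'   => '/forum/',
    'cookie_secure' => 0,
);
$action = ssl_login_action($board_config, 'php');
echo $action, "\n";

// Constructed page fragment as phpBB2 would render it with the patched S_LOGIN_ACTION.
$sample_html = '<form action="' . htmlspecialchars($action) . '" method="post">';
echo login_form_posts_to_https($sample_html) ? "login posts over HTTPS\n" : "login still posts over HTTP\n";
```

Wrapping the absolute URL in append_sid() is fine: that function only appends the sid query parameter when the session is not cookie-based, and leaves the rest of the URL alone. Two caveats worth stating plainly, because the patch protects the password and nothing else: with secure cookies disabled the session cookie still travels over plain HTTP on every later request, so a sniffer who cannot read the password can still hijack the logged-in session; and because the login page itself is served over HTTP, an active attacker on the path can rewrite the form action back to http:// before the user ever submits it. Serving the login page and the board over HTTPS is the only way to close both.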
